Abstract: We present an algorithm for computing a separating linear form of a system of
bivariate polynomials with integer coefficients, that is, a linear combination of the variables that
takes different values when evaluated at distinct (complex) solutions of the system. In other words,
a separating linear form defines a shear of the coordinate system that sends the algebraic system into
generic position, in the sense that no two distinct solutions are vertically aligned. The computation
of such linear forms is at the core of most algorithms that solve algebraic systems by computing
rational parameterizations of the solutions and, moreover, the computation of a separating linear
form is the bottleneck of these algorithms in terms of worst-case bit complexity.
Given two bivariate polynomials of total degree at most $d$ with integer coefficients of bitsize at
most $r$, our algorithm computes a separating linear form in $\widetilde{O}_B(d^8 + d^7 r)$ bit operations in the
worst case, where the previously known best bit complexity for this problem was $\widetilde{O}_B(d^{10} + d^9 r)$
(where $\widetilde{O}$ refers to the complexity where polylogarithmic factors are omitted and $O_B$ refers to the
bit complexity).
Separating linear form of bivariate systems

Summary: We present an algorithm for computing a separating linear form of a
system of polynomials in two variables with integer coefficients, that is, a linear combination
of the variables that takes different values when evaluated at distinct (complex) solutions
of the system. In other words, a separating linear form defines a change
of coordinates that puts the algebraic system in generic position, in the sense that two distinct
solutions are never vertically aligned. The computation of these linear forms is at the core
of most algorithms that solve algebraic systems by means of
rational parameterizations of the solutions and, moreover, the computation of a separating linear form
dominates the bit complexity of these algorithms.

Given two polynomials in two variables of total degree at most $d$ with integer
coefficients of bitsize at most $r$, our algorithm computes a separating linear form in
$\widetilde{O}_B(d^8 + d^7 r)$ bit operations in the worst case, improving the best known complexity
for this problem by a factor $d^2$ (where $\widetilde{O}$ refers to the complexity where polylogarithmic factors
are omitted and $O_B$ refers to the bit complexity).

Keywords: computer algebra, polynomial system solving, separating linear form
1 Introduction

One approach to solving a system of polynomials with a finite number of solutions, which can
be traced back to Kronecker, is to compute a rational parameterization of its solutions. Such a
representation of the (complex) solutions of a system is given by a set of univariate polynomials
and associated rational one-to-one mappings that send the roots of the univariate polynomials
to the solutions of the system. Such parameterizations make it possible to reduce computations on the
system to computations with univariate polynomials and thus ease, for instance, the isolation of
the solutions or the evaluation of other polynomials at the solutions.

The computation of such parameterizations has been a focus of interest for a long time;
see for example [ABRW96, GVEK96, Rou99, GLS01, BSS03, DET09] and references therein.
Most algorithms first shear the coordinate system, with a linear change of variables, so that the
input algebraic system is in generic position, that is, such that no two solutions are vertically
aligned. These algorithms thus need a linear separating form, that is, a linear combination of the
coordinates that takes different values when evaluated at different solutions of the system. Since
a random linear form is separating with probability one, probabilistic Monte Carlo algorithms can
overlook this issue. However, for deterministic algorithms, computing a linear separating form is
critical, especially because this is, surprisingly, the current bottleneck for bivariate systems, as
discussed below.

We restrict our attention to systems of two bivariate polynomials of total degree bounded
by $d$ with integer coefficients of bitsize bounded by $r$. For such systems, the approach with
best known worst-case bit complexity for computing a rational parameterization was first introduced
by Gonzalez-Vega and El Kahoui [GVEK96] (see also [GVN02]); their initial analysis of
$\widetilde{O}_B(d^{16} + d^{14} r^2)$ was improved by Diochnos et al. [DET09, Lemma 16 & Theorem 19]¹ to (i)
$\widetilde{O}_B(d^{10} + d^9 r)$ for computing a separating linear form and then (ii) $\widetilde{O}_B(d^7 + d^6 r)$ for computing
a parameterization. Computing a separating linear form is thus the bottleneck of the computation
of the rational parameterization. This is still true even when considering the additional
phase of computing isolating boxes of the solutions (from the rational parameterization), whose
state-of-the-art complexity is in $\widetilde{O}_B(d^8 + d^7 r)$ [BLPR13, Proposition 19].

Main results. Our main contribution is a new deterministic algorithm of worst-case bit
complexity $\widetilde{O}_B(d^8 + d^7 r)$ for computing a separating linear form of a system of two bivariate
polynomials of total degree at most $d$ and integer coefficients of bitsize at most $r$ (Theorem 15).
This decreases by a factor $d^2$ the best known complexity for this problem.

As a direct consequence, using our algorithm for computing a separating linear form directly
yields a rational parameterization within the same overall complexity as our algorithm, both in
the approach of Gonzalez-Vega et al. [GVEK96, DET09] and in that of Bouzidi et al. [BLPR13]
for computing the alternative rational parameterization as defined in [Rou99]. As a byproduct,
we obtain an algorithm for computing the number of (complex) distinct solutions of such systems
within the same complexity, i.e. $\widetilde{O}_B(d^8 + d^7 r)$.



1 The overall bit complexity stated in [DET09, Theorem 19] is $\widetilde{O}_B(d^{12} + d^{10} r^2)$ because it includes the isolation
of the solutions of the system. Note that this complexity trivially decreases to $\widetilde{O}_B(d^{10} + d^9 r)$ by the recent result
of Sagraloff [Sag12] which improves the complexity of isolating the real roots of a univariate polynomial. Note
also that Diochnos et al. [DET09] present two algorithms, the M_RUR and G_RUR algorithms, both with bit
complexity $\widetilde{O}_B(d^{12} + d^{10} r^2)$. However, this complexity is worst case only for the M_RUR algorithm. As pointed
out by Emeliyanenko and Sagraloff [ES12], the G_RUR algorithm uses a modular gcd algorithm over an extension
field whose considered bit complexity is expected.
2 Overview and organization

Let $P$ and $Q$ be two bivariate polynomials of total degree bounded by $d$ and integer coefficients
of maximum bitsize $r$. Let $I = (P, Q)$ be the ideal they define and suppose that $I$ is
zero-dimensional. The goal is to find a linear form $T = X + aY$, with $a \in \mathbb{Z}$, that separates the
solutions of $I$.

We first outline a classical algorithm which is essentially the same as those proposed, for
instance, in [DET09, Lemma 16] and [KS12, Theorem 24]² and whose complexity, in
$\widetilde{O}_B(d^{10} + d^9 r)$, is the best known so far for this problem. This algorithm serves two purposes: it gives
some insight on the more involved $\widetilde{O}_B(d^8 + d^7 r)$-time algorithm that follows and it will be used
in that algorithm but over $\mathbb{Z}_\mu = \mathbb{Z}/\mu\mathbb{Z}$ instead of $\mathbb{Z}$.

Known $\widetilde{O}_B(d^{10} + d^9 r)$-time algorithm for computing a separating linear form. The
idea is to work with a "generic" linear form $T = X + SY$, where $S$ is an indeterminate, and find
conditions such that the specialization of $S$ by an integer $a$ gives a separating form. We thus
consider $P(T - SY, Y)$ and $Q(T - SY, Y)$, the "generic" sheared polynomials associated to $P$ and
$Q$, and $R(T, S)$ their resultant with respect to $Y$. This polynomial has been extensively used
and defined in several contexts; see for instance the related u-resultant [VdW30].

It is known that, in a set $\mathcal{S}$ of $d^4$ integers, there exists at least one integer $a$ such that $X + aY$
is a separating form for $I$ since $I$ has at most $d^2$ solutions which define at most $\binom{d^2}{2}$ directions in
which two solutions are aligned. Hence, a separating form can be found by computing, for every
$a$ in $\mathcal{S}$, the degree of the squarefree part of $R(T, a)$ and by choosing one $a$ for which this degree is
maximum. Indeed, for any (possibly non-separating) linear form $X + aY$, the number of distinct
roots of $R(T, a)$, which is the degree of its squarefree part, is always smaller than or equal to
the number of distinct solutions of $I$, and equality is attained when the linear form $X + aY$ is
separating (Lemma 8). The complexity of this algorithm is in $\widetilde{O}_B(d^{10} + d^9 r)$ because, for $d^4$
values of $a$, the polynomial $R(T, a)$ can be shown to be of degree $O(d^2)$ and bitsize $\widetilde{O}(d^2 + dr)$,
and its squarefree part can be computed in $\widetilde{O}_B(d^6 + d^5 r)$ time.

$\widetilde{O}_B(d^8 + d^7 r)$-time algorithm for computing a separating linear form. To reduce the
complexity of the search for a separating form, one can first consider naively performing the
above algorithm on the system $I_\mu = (P \bmod \mu, Q \bmod \mu)$ in $\mathbb{Z}_\mu = \mathbb{Z}/\mu\mathbb{Z}$, where $\mu$ is a prime
number upper bounded by some polynomial in $d$ and $r$ (so that the bit complexity of arithmetic
operations in $\mathbb{Z}_\mu$ is polylogarithmic in $d$ and $r$). The resultant $R_\mu(T, S)$ of $P(T - SY, Y) \bmod \mu$
and $Q(T - SY, Y) \bmod \mu$ with respect to $Y$ can be computed in $\widetilde{O}_B(d^6 + d^5 r)$ bit operations
and, since its degree is at most $2d^2$ in each variable, evaluating it at $S = a$ in $\mathbb{Z}_\mu$ can be easily
done in $\widetilde{O}_B(d^4)$ bit operations. Then, the computation of its squarefree part no longer suffers
from the coefficient growth, and it becomes softly linear in its degree, that is $\widetilde{O}_B(d^2)$.
Considering $d^4$ choices of $a$, we get an algorithm that computes a separating form for $I_\mu$ in
$\widetilde{O}_B(d^8)$ time in $\mathbb{Z}_\mu$. However, a serious problem remains, namely to ensure that a separating form
for $I_\mu$ is also a separating form for $I$. This issue requires a more subtle algorithm.
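
The search just outlined, run modulo a prime on a small constructed system, as an added example that is not code from the paper. It obtains the specialized resultant by evaluating the sheared polynomials at $2d^2 + 1$ values of $T$ and interpolating, a substitution made here in place of the paper's computation of the bivariate resultant; the function names, the sample system and the prime 37 are assumptions of the example (Python 3.8+ for the modular inverse via `pow`).

```python
# Added example, not code from the paper. Univariate polynomials over F_p are
# coefficient lists, lowest degree first; the zero polynomial is [].

def trim(f, p):
    f = [c % p for c in f]
    while f and f[-1] == 0:
        f.pop()
    return f

def add(f, g, p):
    n = max(len(f), len(g))
    return trim([x + y for x, y in zip(f + [0] * (n - len(f)), g + [0] * (n - len(g)))], p)

def mul(f, g, p):
    h = [0] * max(len(f) + len(g) - 1, 0)
    for i, x in enumerate(f):
        for j, y in enumerate(g):
            h[i + j] += x * y
    return trim(h, p)

def rem(f, g, p):
    """Remainder of f modulo a nonzero (trimmed) g over F_p."""
    f, inv = trim(f, p), pow(g[-1], -1, p)
    while len(f) >= len(g):
        c, s = f[-1] * inv, len(f) - len(g)
        f = trim([x - c * g[i - s] if i >= s else x for i, x in enumerate(f)], p)
    return f

def gcd(f, g, p):
    while g:
        f, g = g, rem(f, g, p)
    return f

def resultant(f, g, p):
    """Res_Y(f, g) for nonzero f, g over F_p, by the Euclidean recurrence."""
    res = 1
    while len(g) > 1:
        r = rem(f, g, p)
        if not r:
            return 0                      # common factor of positive degree
        m, n, k = len(f) - 1, len(g) - 1, len(r) - 1
        res = res * (-1) ** (m * n) * pow(g[-1], m - k, p) % p
        f, g = g, r
    return res * pow(g[0], len(f) - 1, p) % p

def shear(P, t, a, p):
    """P(t - aY, Y) as a polynomial in Y; P maps (i, j) to the coefficient of X^i Y^j."""
    out = []
    for (i, j), c in P.items():
        term = [c]
        for _ in range(i):
            term = mul(term, [t, -a], p)
        out = add(out, [0] * j + term, p)
    return out

def lead_coeff(P, a, p):
    """L_P(a): coefficient of Y^d in P(T - aY, Y), d the total degree; it is free of T."""
    d = max(i + j for i, j in P)
    return sum(c * (-a) ** i for (i, j), c in P.items() if i + j == d) % p

def interpolate(xs, ys, p):
    """Lagrange interpolation over F_p; the xs must be distinct modulo p."""
    total = []
    for i, xi in enumerate(xs):
        basis, denom = [1], 1
        for j, xj in enumerate(xs):
            if j != i:
                basis, denom = mul(basis, [-xj, 1], p), denom * (xi - xj) % p
        total = add(total, mul(basis, [ys[i] * pow(denom, -1, p)], p), p)
    return total

def distinct_roots(P, Q, a, p):
    """Degree of the squarefree part of R(T, a) mod p, or None if L_P(a) L_Q(a) = 0 mod p."""
    if lead_coeff(P, a, p) * lead_coeff(Q, a, p) % p == 0:
        return None                       # the non-vanishing hypothesis fails
    d = max(i + j for poly in (P, Q) for i, j in poly)
    ts = list(range(2 * d * d + 1))       # deg_T R <= 2 d^2, so this needs p > 2 d^2
    R = interpolate(ts, [resultant(shear(P, t, a, p), shear(Q, t, a, p), p) for t in ts], p)
    dR = trim([k * c for k, c in enumerate(R)][1:], p)
    return len(R) - len(gcd(R, dR, p))    # deg R - deg gcd(R, R'), valid since p > deg R

def separating_form(P, Q, p):
    """First a in 0..2d^4 that maximizes distinct_roots, returned with that maximum."""
    d = max(i + j for poly in (P, Q) for i, j in poly)
    best = None
    for a in range(2 * d ** 4 + 1):
        deg = distinct_roots(P, Q, a, p)
        if deg is not None and (best is None or deg > best[1]):
            best = (a, deg)
    return best

# Constructed sample: X^2 + Y^2 - 5 = XY - 2 = 0, whose four solutions are
# (1,2), (2,1), (-1,-2), (-2,-1); they stay distinct modulo MU = 37 > 2 d^4 = 32.
P = {(2, 0): 1, (0, 2): 1, (0, 0): -5}
Q = {(1, 1): 1, (0, 0): -2}
MU = 37

if __name__ == "__main__":
    print(distinct_roots(P, Q, 1, MU))    # X + Y sends the solutions to 3, 3, -3, -3
    print(separating_form(P, Q, MU))
```

For this sample, $a = 0$ and $a = 6$ are skipped because a leading coefficient vanishes modulo 37, $a = 1$ is rejected because $X + Y$ takes only two distinct values on the solutions, and $a = 2$ is the first candidate reaching the maximum.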

We first show, in Section 4.1, a critical property (Proposition 7) which states that a separating
linear form over $\mathbb{Z}_\mu$ is also separating over $\mathbb{Z}$ when $\mu$ is a lucky prime number, which is, essentially,
a prime such that the number of solutions of $(P, Q)$ is the same over $\mathbb{Z}$ and over $\mathbb{Z}_\mu$. We then
show in Sections 4.2 to 4.4 how to compute such a lucky prime number. We do that by first
proving in Section 4.2 that, under mild conditions on $\mu$, the number of solutions over $\mathbb{Z}_\mu$ is always
less than or equal to the number of solutions over $\mathbb{Z}$ (Proposition 11) and then by computing
a bound on the number of unlucky primes (Proposition 12). Computing a lucky prime can
then be done by choosing a $\mu$ that maximizes the number of solutions over $\mathbb{Z}_\mu$ among a set of
primes of cardinality $\widetilde{O}(d^4 + d^3 r)$. For that purpose, we present in Section 4.3 a new algorithm,
of independent interest, for computing in $\widetilde{O}(d^4)$ arithmetic operations the number of distinct
solutions of the system $I_\mu$ in $\mathbb{Z}_\mu$; this algorithm is based on a classical triangular decomposition.
This yields, in Section 4.4, a $\widetilde{O}_B(d^8 + d^7 r)$-time algorithm for computing a lucky prime $\mu$ in
$\widetilde{O}(d^4 + d^3 r)$. Now, $\mu$ is fixed, and we can apply the algorithm outlined above for computing a
separating form for $I_\mu$ in $\mathbb{Z}_\mu$ in $\widetilde{O}_B(d^8)$ time (Section 4.5). This form, which is also separating
for $I$, is thus obtained with a total bit complexity of $\widetilde{O}_B(d^8 + d^7 r)$ (Theorem 18).

2 The stated complexity of [KS12, Theorem 24] is $\widetilde{O}_B(d^9 r)$, but it seems the fact that the sheared polynomials
have bitsize in $\widetilde{O}(d + r)$ (see Lemma 5) instead of $O(r)$ has been overlooked in their proof.

3 Notation and preliminaries 

We introduce notation and recall classical material about subresultant sequences. 

The bitsize of an integer $p$ is the number of bits needed to represent it, that is $\lfloor \log p \rfloor + 1$
($\log$ refers to the logarithm in base 2). For a rational number, the bitsize is the
maximum bitsize of its numerator and denominator. The bitsize of a polynomial with integer or
rational coefficients is the maximum bitsize of its coefficients. As mentioned earlier, $O_B$ refers
to the bit complexity and $\widetilde{O}$ and $\widetilde{O}_B$ refer to complexities where polylogarithmic factors are
omitted.

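In the following, $\mu$ is a prime number and we denote by $\mathbb{Z}_\mu$ the quotient $\mathbb{Z}/\mu\mathbb{Z}$. We denote by
$\phi_\mu : \mathbb{Z} \to \mathbb{Z}_\mu$ the reduction modulo $\mu$, and extend this definition to the reduction of polynomials
with integer coefficients. We denote by $\mathbb{D}$ a unique factorization domain, typically $\mathbb{Z}[X, Y]$, $\mathbb{Z}[X]$,
$\mathbb{Z}_\mu[X]$, $\mathbb{Z}$ or $\mathbb{Z}_\mu$. We also denote by $\mathbb{F}$ a field, typically $\mathbb{Q}$, $\mathbb{C}$, or $\mathbb{Z}_\mu$.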

For any polynomial $P \in \mathbb{D}[X]$, let $Lc_X(P)$ denote its leading coefficient with respect to the
variable $X$, $d_X(P)$ its degree with respect to $X$, and $\overline{P}$ its squarefree part. The ideal generated
by two polynomials $P$ and $Q$ is denoted $(P, Q)$, and the affine variety of an ideal $I$ is denoted by
$V(I)$; in other words, $V(I)$ is the set of distinct solutions of the system $\{P, Q\}$. The solutions are
always considered in the algebraic closure of $\mathbb{D}$ and the number of distinct solutions is denoted
by $\#V(I)$. For a point $\sigma \in V(I)$, $\mu_I(\sigma)$ denotes the multiplicity of $\sigma$ in $I$. For simplicity, we
refer indifferently to the ideal $(P, Q)$ and to the system $\{P, Q\}$.

We finally introduce the following notation, which is extensively used throughout the paper.
Given the two input polynomials $P$ and $Q$, we consider the "generic" change of variables
$X = T - SY$, and define the "sheared" polynomials $P(T - SY, Y)$, $Q(T - SY, Y)$, and their resultant
with respect to $Y$,

$$R(T, S) = \mathrm{Res}_Y(P(T - SY, Y),\ Q(T - SY, Y)). \tag{1}$$

The complexity bounds on the degree, bitsize and computation of these polynomials are analyzed
at the end of this section in Lemma 5. Let $L_R(S)$ be the leading coefficient of $R(T, S)$ seen as
a polynomial in $T$. Let $L_P(S)$ and $L_Q(S)$ be the leading coefficients of $P(T - SY, Y)$ and
$Q(T - SY, Y)$, seen as polynomials in $Y$; it is straightforward that these leading coefficients do
not depend on $T$. In other words:

$$L_P(S) = Lc_Y(P(T - SY, Y)), \quad L_Q(S) = Lc_Y(Q(T - SY, Y)), \quad L_R(S) = Lc_T(R(T, S)). \tag{2}$$
3.1 Subresultant sequences

We recall here the definition of subresultant sequences and some related properties. Note that
we only use subresultants in Section 4.3.1, in which we recall a classical triangular decomposition
algorithm.

We first recall the concept of polynomial determinant of a matrix which is used in the definition
of subresultants. Let $M$ be an $m \times n$ matrix with $m \le n$ and $M_i$ be the square submatrix of $M$
consisting of the first $m - 1$ columns and the $i$-th column of $M$, for $i = m, \ldots, n$. The polynomial
determinant of $M$ is the polynomial defined as
$\det(M_m) Y^{n-m} + \det(M_{m+1}) Y^{n-(m+1)} + \cdots + \det(M_n)$.

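Let $P = \sum_{i=0}^{p} a_i Y^i$ and $Q = \sum_{i=0}^{q} b_i Y^i$ be two polynomials in $\mathbb{D}[Y]$ and assume without loss
of generality that $p \ge q$. The Sylvester matrix of $P$ and $Q$, $\mathrm{Sylv}(P, Q)$, is the $(p+q)$-square matrix
whose rows are $Y^{q-1}P, \ldots, P, Y^{p-1}Q, \ldots, Q$ considered as vectors in the basis $Y^{p+q-1}, \ldots, Y, 1$.

$$
\mathrm{Sylv}(P, Q) =
\underbrace{\begin{pmatrix}
a_p & a_{p-1} & \cdots & \cdots & a_0 & & \\
 & \ddots & \ddots & & & \ddots & \\
 & & a_p & a_{p-1} & \cdots & \cdots & a_0 \\
b_q & b_{q-1} & \cdots & b_0 & & & \\
 & \ddots & \ddots & & \ddots & & \\
 & & & b_q & b_{q-1} & \cdots & b_0
\end{pmatrix}}_{p+q \text{ columns}}
\begin{matrix} \Big\}\ q \text{ rows} \\[2ex] \Big\}\ p \text{ rows} \end{matrix}
$$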

Definition 1 ([EK03, §3]). For $i = 0, \ldots, \min(q, p - 1)$, let $\mathrm{Sylv}_i(P, Q)$ be the $(p + q - 2i) \times (p + q - i)$
matrix obtained from $\mathrm{Sylv}(P, Q)$ by deleting the $i$ last rows of the coefficients of $P$,
the $i$ last rows of the coefficients of $Q$, and the $i$ last columns.

For $i = 0, \ldots, \min(q, p - 1)$, the $i$-th polynomial subresultant of $P$ and $Q$, denoted by $\mathrm{Sres}_{Y,i}(P, Q)$,
is the polynomial determinant of $\mathrm{Sylv}_i(P, Q)$. When $q = p$, the $q$-th polynomial subresultant of
$P$ and $Q$ is $b_q^{-1} Q$.³

$\mathrm{Sres}_{Y,i}(P, Q)$ has degree at most $i$ in $Y$, and the coefficient of its monomial of degree $i$
in $Y$, denoted by $\mathrm{sres}_{Y,i}(P, Q)$, is called the $i$-th principal subresultant coefficient. Note that
$\mathrm{Sres}_{Y,0}(P, Q) = \mathrm{sres}_{Y,0}(P, Q)$ is the resultant of $P$ and $Q$ with respect to $Y$, which we also
denote by $\mathrm{Res}_Y(P, Q)$. Furthermore, the first (with respect to increasing $i$) nonzero subresultant
of $P, Q \in \mathbb{D}[Y]$ is equal to their gcd in $\mathbb{F}_{\mathbb{D}}[Y]$, up to a multiplicative factor in $\mathbb{F}_{\mathbb{D}}$, where $\mathbb{F}_{\mathbb{D}}$ is
the fraction field of $\mathbb{D}$ (e.g., if $\mathbb{D} = \mathbb{Z}[X]$, then $\mathbb{F}_{\mathbb{D}} = \mathbb{Q}(X)$, the field of fractions of polynomials
in $\mathbb{Q}[X]$); more generally, the subresultants of $P$ and $Q$ are equal to either 0 or to polynomials
in the remainder sequence of $P$ and $Q$ in Euclid's algorithm (up to multiplicative factors in $\mathbb{F}_{\mathbb{D}}$)
[BPR06, §8.3.3 & Cor. 8.32].⁴

We state below a fundamental property of subresultants which is instrumental in the triangular
decomposition algorithm used in Section 4.3.1. For clarity, we state this property for
bivariate polynomials $P = \sum_{i=0}^{p} a_i Y^i$ and $Q = \sum_{i=0}^{q} b_i Y^i$ with $p \ge q$. Note that
this property is often stated with a stronger assumption, namely that none of the leading terms
$a_p(\alpha)$ and $b_q(\alpha)$ vanishes. This property is a direct consequence of the specialization property
of subresultants and of the gap structure theorem; see for instance [EK03, Lemmas 2.3, 3.1 and
Corollary 5.1].

3 It can be observed that, when $p > q$, the $q$-th subresultant is equal to $b_q^{p-q-1} Q$; however, it is not defined
when $p = q$. In this case, following El Kahoui, we extend the definition to $b_q^{-1} Q$ assuming that the domain $\mathbb{D}$ is
integral, which is the case in this paper. Note that it is important to define the $q$-th subresultant to be a multiple
of $Q$ so that Lemma 2 holds when $Q(\alpha, Y)$ is of degree $q$ and divides $P(\alpha, Y)$ for some $\alpha$.

4 For efficiency, the computation of subresultant sequences is usually performed by computing the polynomial
remainder sequences using some variant of Euclid's algorithm instead of the aforementioned determinants.

Lemma 2. For any $\alpha$ such that $a_p(\alpha)$ and $b_q(\alpha)$ do not both vanish, the first $\mathrm{Sres}_{Y,k}(P, Q)(\alpha, Y)$
(for $k$ increasing) that does not identically vanish is of degree $k$ and it is the gcd of $P(\alpha, Y)$ and
$Q(\alpha, Y)$ (up to a nonzero constant in the fraction field of $\mathbb{D}(\alpha)$).

3.2 Complexity 

We recall complexity results, using fast algorithms, on subresultants and gcd computations. We 
also analyze complexities related to the computation of the "sheared" polynomials and their 
resultant. 

Lemma 3 ([BPR06, Proposition 8.46], [Rei97, §8, Algorithm 7.3]). Let $P$ and $Q$ in $\mathbb{Z}[X_1, \ldots, X_n][Y]$
of coefficient bitsize $r$ such that their degrees in $Y$ are bounded by $d_Y$ and their degrees in the
other variables are bounded by $d$.

• The coefficients of $\mathrm{Sres}_{Y,i}(P, Q)$ have bitsize in $\widetilde{O}(d_Y r)$.

• The degree in $X_j$ of $\mathrm{Sres}_{Y,i}(P, Q)$ is at most $2d(d_Y - i)$.

• Any subresultant $\mathrm{Sres}_{Y,i}(P, Q)$ can be computed in $\widetilde{O}(d^n d_Y^{n+1})$ arithmetic operations, and
$\widetilde{O}_B(d^n d_Y^{n+2} r)$ bit operations.

In the sequel, we often consider the gcd of two univariate polynomials $P$ and $Q$ and the
gcd-free part of $P$ with respect to $Q$, that is, the divisor $D$ of $P$ such that $P = \gcd(P, Q) D$.
Note that when $Q = P'$, the latter is the squarefree part $\overline{P}$.

Lemma 4 ([BPR06, Remark 10.19]). Let $P$ and $Q$ in $\mathbb{F}[X]$ be of degree at most $d$. $\gcd(P, Q)$ or
the gcd-free part of $P$ with respect to $Q$ can be computed with $\widetilde{O}(d)$ operations in $\mathbb{F}$.

Lemma 5. Let $P$ and $Q$ in $\mathbb{Z}[X, Y]$ be of total degree at most $d$ and maximum bitsize $r$. The
sheared polynomials $P(T - SY, Y)$ and $Q(T - SY, Y)$ can be expanded in $\widetilde{O}_B(d^4 + d^3 r)$ and their
bitsizes are in $\widetilde{O}(d + r)$. The resultant $R(T, S)$ can be computed in $\widetilde{O}_B(d^7 + d^6 r)$ bit operations
and $\widetilde{O}(d^5)$ arithmetic operations in $\mathbb{Z}$; its degree is at most $2d^2$ in each variable and its bitsize is
in $\widetilde{O}(d^2 + dr)$.

Proof. Writing $P$ as $\sum_{i=0}^{d} P_i(Y) X^i$, expanding the substitution of $X$ by $T - SY$ needs the
computation of the successive powers $(T - SY)^i$ for $i$ from 1 to $d$. The binomial formula shows
that each polynomial $(T - SY)^i$ is the sum of $i + 1$ monomials, with coefficients of bitsize in
$O(i \log i)$. Using the recursion formula $(T - SY)^i = (T - SY)^{i-1}(T - SY)$, given the polynomial
$(T - SY)^{i-1}$, the computation of $(T - SY)^i$ requires $2i$ multiplications of coefficients having bitsize
in $O(i \log i)$, which can be done in $\widetilde{O}_B(i^2 \log i)$ bit operations. The complexity of computing all
the powers is thus in $\widetilde{O}_B(d^3 \log d)$. The second step is to multiply $P_i(Y)$ by $(T - SY)^i$ for
$i = 1, \ldots, d$. Each polynomial multiplication can be done with $O(d^2)$ multiplications of integers
of bitsize in $O(r)$ or in $O(d \log d)$, and thus it can be done in $\widetilde{O}_B(d^2(r + d \log d))$ bit operations
and yields polynomials of bitsize $O(r + d \log d)$. For the $d$ multiplications the total cost is in
$\widetilde{O}_B(d^3(r + d \log d))$. Consequently the computation of $P(T - SY, Y)$ and $Q(T - SY, Y)$ can be
done in $\widetilde{O}_B(d^3(r + d))$ bit operations and these polynomials have bitsize in $\widetilde{O}(r + d)$. In addition,
since $P(T - SY, Y)$ and $Q(T - SY, Y)$ are trivariate polynomials of partial degree in all variables
bounded by $d$, Lemma 3 implies the claims on $R(T, S)$. □
4 Separating linear form

Throughout this section, we assume that the two input polynomials $P$ and $Q$ are coprime in
$\mathbb{Z}[X, Y]$, that they define the ideal $I$, that their maximum total degree $d$ is at least 2 and that
their coefficients have maximum bitsize $r$. Note that the coprimality of $P$ and $Q$ is implicitly
tested during Algorithm 2 because they are coprime if and only if $R(T, S)$ does not identically
vanish. By abuse of notation, some complexity $\widetilde{O}_B(d^k)$ may refer to a complexity in which
polylogarithmic factors in $d$ and in $r$ are omitted. $I_\mu = (P_\mu, Q_\mu)$ denotes the ideal generated by
$P_\mu = \phi_\mu(P)$ and $Q_\mu = \phi_\mu(Q)$. Similarly as in Equation (1), we define $R_\mu(T, S)$ as the resultant
of $P_\mu(T - SY, Y)$ and $Q_\mu(T - SY, Y)$ with respect to $Y$, and we define $L_{P_\mu}(S)$, $L_{Q_\mu}(S)$, and
$L_{R_\mu}(S)$, similarly as in (2). We refer to the overview in Section 2 for the organization of this
section.



4.1 Separating linear form over $\mathbb{Z}_\mu$ versus $\mathbb{Z}$

We first introduce the notion of lucky prime numbers $\mu$ which are, roughly speaking, primes
$\mu$ for which the number of distinct solutions of $(P, Q)$ does not change when considering the
polynomials modulo $\mu$. We then show the critical property that, if a linear form is separating
modulo such a $\mu$, then it is also separating over $\mathbb{Z}$.

Definition 6. A prime number $\mu$ is said to be lucky for an ideal $I = (P, Q)$ if it is larger than
$2d^4$ and satisfies

$$\phi_\mu(L_P(S))\ \phi_\mu(L_Q(S))\ \phi_\mu(L_R(S)) \not\equiv 0 \quad \text{and} \quad \#V(I) = \#V(I_\mu).$$

Proposition 7. Let $\mu$ be a lucky prime for the ideal $I = (P, Q)$ and let $a < \mu$ be an integer⁵
such that

$$\phi_\mu(L_P(a))\ \phi_\mu(L_Q(a))\ \phi_\mu(L_R(a)) \neq 0.$$

If $X + aY$ separates $V(I_\mu)$, it also separates $V(I)$.

The key idea of the proof of Proposition 7, as well as Propositions 11 and 12, is to prove the
following inequalities (under the hypothesis that various leading terms do not vanish)

$$\#V(I_\mu) \ \ge\ d_T(\overline{R_\mu(T, a)}) \ \le\ d_T(\overline{R(T, a)}) \ \le\ \#V(I) \tag{3}$$

and argue that the first (resp. last) one is an equality if $X + aY$ separates $V(I_\mu)$ (resp. $V(I)$),
and that the middle one is an equality except for finitely many $\mu$. We establish these claims
in Lemmas 8 and 10. As mentioned in Section 2, Lemma 8 is the key property in the classical
algorithm for computing a separating form for $I$, which we will use over $\mathbb{Z}_\mu$ to compute
a separating form for $I_\mu$ in Section 4.5. For completeness, we outline its proof (see [DET09,
Lemma 16] or [BPR06, Proposition 11.23] for details). Recall that $P$ and $Q$ are assumed to be
coprime but not $P_\mu$ and $Q_\mu$; we address this issue in Lemma 9.

Lemma 8. If $a \in \mathbb{Z}$ is such that $L_P(a) L_Q(a) \neq 0$ then $d_T(\overline{R(T, a)}) \le \#V(I)$ and they are equal
if and only if $X + aY$ separates $V(I)$. The same holds over $\mathbb{Z}_\mu$, that is for $P_\mu$, $Q_\mu$, and $I_\mu$,
provided $P_\mu$ and $Q_\mu$ are coprime.

5 We assume $a < \mu$ for clarity so that the linear form $X + aY$ is "identical" in $\mathbb{Z}$ and in $\mathbb{Z}_\mu$. This hypothesis is
however not needed and we actually prove that if $X + \phi_\mu(a)Y$ separates $V(I_\mu)$ then $X + aY$ separates $V(I)$.
Proof. Since $L_P(a) L_Q(a) \neq 0$, the resultant $R(T, S)$ can be specialized at $S = a$, that is
$R(T, a) = \mathrm{Res}_Y(P(T - aY, Y), Q(T - aY, Y))$. On the other hand, the sheared polynomials
$P(T - aY, Y)$ and $Q(T - aY, Y)$ are coprime (since $P$ and $Q$ are coprime) and since $L_P(a) L_Q(a) \neq 0$,
they have no common solution at infinity in the $Y$-direction. Thus the roots of their resultant
with respect to $Y$ are the $T$-coordinates of the (affine) solutions of
$I_a = (P(T - aY, Y), Q(T - aY, Y))$ (see for instance [CLO97, §3.6 Proposition 3]). Hence, $d_T(\overline{R(T, a)}) \le \#V(I_a) = \#V(I)$.
Moreover, if $X + aY$ separates $V(I)$, $T = X + aY$ takes distinct values for every solution in $V(I)$,
and since these values of $T$ are roots of $R(T, a)$, $d_T(\overline{R(T, a)}) \ge \#V(I)$ and thus they are equal.
Conversely, if $d_T(\overline{R(T, a)}) = \#V(I)$, $R(T, a)$ admits $\#V(I)$ distinct roots $T = X + aY$ which
means that $X + aY$ separates all the solutions of $V(I)$. The same argument holds over $\mathbb{Z}_\mu$. □

The following two lemmas state rather standard properties. For completeness and readers'
convenience, we provide proofs of these statements for which we could not find accurate references.

Lemma 9. If $\phi_\mu(L_P(S))\ \phi_\mu(L_Q(S))\ \phi_\mu(L_R(S)) \neq 0$ and $\mu > 4d^2$ then $P_\mu$ and $Q_\mu$ are coprime.

Proof. Since $\phi_\mu(L_P(S))\ \phi_\mu(L_Q(S)) \neq 0$, the property of specialization of resultants [BPR06,
Prop. 4.20] yields that $\phi_\mu(R(T, S)) = R_\mu(T, S)$ and $\phi_\mu(L_R(S)) \not\equiv 0$ implies that $R_\mu(T, S) \neq 0$.
We can thus choose a value $S = a \in \mathbb{Z}_\mu$ so that $R_\mu(T, a) \neq 0$ and $L_{P_\mu}(a) L_{Q_\mu}(a) \neq 0$; indeed,
$\mu > 4d^2$ and $\phi_\mu(L_R(S))$, $L_{P_\mu}(S)$ and $L_{Q_\mu}(S)$ have degree at most $2d^2$, $d$ and $d$ respectively
(Lemma 3). For such a value, the resultant of $P_\mu(T - aY, Y)$ and $Q_\mu(T - aY, Y)$ is $R_\mu(T, a)$.
This resultant is not identically zero, the leading coefficients (in $Y$) $L_{P_\mu}(a)$ and $L_{Q_\mu}(a)$ do not
depend on $T$ (see Eq. (2)) and are not zero, thus $P_\mu(T - aY, Y)$ and $Q_\mu(T - aY, Y)$ are coprime.
The result follows. □

Lemma 10. Let $\mu$ be a prime and $a$ be an integer such that $\phi_\mu(L_P(a))\ \phi_\mu(L_Q(a))\ \phi_\mu(L_R(a)) \neq 0$,
then $d_T(\overline{R_\mu(T, a)}) \le d_T(\overline{R(T, a)})$.

Proof. We first observe that the degree of $R(T, a)$ and $\phi_\mu(R(T, a))$ are the same. Indeed,
$\phi_\mu(L_R(a)) \neq 0$ by hypothesis and thus $L_R(a) \neq 0$. Thus, the leading coefficient $L_R(S)$ of
$R(T, S)$ does not vanish when specialized at $S = a$, and it also does not vanish when furthermore
taken modulo $\mu$.

Now, the degree of the squarefree part of a univariate polynomial is its degree minus the degree
of its gcd with its derivative. Furthermore, the degree of the gcd of two univariate polynomials
cannot decrease by reduction modulo $\mu$, if their leading coefficients do not both vanish modulo
$\mu$ [vzGG99, Theorem 6.26]. The leading coefficients of $R(T, a)$ and its derivative do not vanish
modulo $\mu$ since $\phi_\mu(L_R(a)) \neq 0$, and thus

$$
\begin{aligned}
d_T(\overline{R(T, a)}) &= d_T(R(T, a)) - d_T(\gcd(R(T, a), R'(T, a))) \\
 &\ge d_T(\phi_\mu(R(T, a))) - d_T(\gcd(\phi_\mu(R(T, a)), \phi_\mu(R'(T, a)))) \\
 &= d_T(\overline{\phi_\mu(R(T, a))}).
\end{aligned}
$$

We finally argue that $\phi_\mu(R(T, a)) = R_\mu(T, a)$. By hypothesis, $\phi_\mu(L_P(S))$ and $\phi_\mu(L_Q(S))$
do not identically vanish, thus we can specialize the resultant $R$ by $\phi_\mu$, that is $\phi_\mu(R(T, S)) =
\mathrm{Res}_Y(\phi_\mu(P(T - SY, Y)), \phi_\mu(Q(T - SY, Y)))$ [BPR06, Proposition 4.20]. Hence, $\phi_\mu(R(T, S)) =
R_\mu(T, S)$. The evaluation at $S = a$ and the reduction modulo $\mu$ commute (in $\mathbb{Z}_\mu$), thus
$\phi_\mu(R(T, a)) = R_\mu(T, a)$ in $\mathbb{Z}_\mu[T]$, which concludes the proof of the lemma. □
Proof of Proposition 7. By Lemmas 8 and 10, if $\mu$ is a prime and $a$ is an integer such that
$X + aY$ separates $V(I_\mu)$ and $\phi_\mu(L_P(a))\ \phi_\mu(L_Q(a))\ \phi_\mu(L_R(a)) \neq 0$, then

$$\#V(I_\mu) = d_T(\overline{R_\mu(T, a)}) \le d_T(\overline{R(T, a)}) \le \#V(I).$$

Since $\mu$ is lucky, $\#V(I_\mu) = \#V(I)$ thus $d_T(\overline{R(T, a)}) = \#V(I)$ and by Lemma 8, $X + aY$
separates $V(I)$. □



4.2 Number of solutions over $\mathbb{Z}_\mu$ versus $\mathbb{Z}$

As shown in Proposition 7, the knowledge of a lucky prime makes it possible to search for separating linear
forms over $\mathbb{Z}_\mu$ rather than over $\mathbb{Z}$. We prove here two propositions that are critical for computing
a lucky prime, which state that the number of solutions of $I_\mu = (P_\mu, Q_\mu)$ is always at most that
of $I = (P, Q)$ and give a bound on the number of unlucky primes.

Proposition 11. Let $I = (P, Q)$ be a zero-dimensional ideal in $\mathbb{Z}[X, Y]$. If a prime $\mu$ is larger
than $2d^4$ and

$$\phi_\mu(L_P(S))\ \phi_\mu(L_Q(S))\ \phi_\mu(L_R(S)) \not\equiv 0$$

then $\#V(I_\mu) \le \#V(I)$.

Proof. Let $\mu$ be a prime that satisfies the hypotheses of the proposition. We also consider
an integer $a < \mu$ such that $\phi_\mu(L_P(a))\ \phi_\mu(L_Q(a))\ \phi_\mu(L_R(a)) \neq 0$ and such that the linear
form $X + aY$ is separating for $I_\mu$. Such an integer exists because (i) $\phi_\mu(L_P(S))$, $\phi_\mu(L_Q(S))$,
and $\phi_\mu(L_R(S))$ are not identically zero by hypothesis and they have degree at most $d$ or $2d^2$
(Lemma 3) and, as mentioned earlier, (ii) $I_\mu$ is zero-dimensional (Lemma 9) and it has at
most $d^2$ solutions which define at most $\binom{d^2}{2}$ directions in which two solutions are aligned. Since
$2d + 2d^2 + \binom{d^2}{2} < 2d^4$ (for $d \ge 2$), there exists such an integer $a \le 2d^4 < \mu$. With such an $a$, we can
apply Lemmas 8 and 10 which imply that $\#V(I_\mu) = d_T(\overline{R_\mu(T, a)}) \le d_T(\overline{R(T, a)}) \le \#V(I)$. □

Next, we bound the number of primes that are unlucky for the ideal (P, Q). 

Proposition 12. An upper bound on the number of unlucky primes for the ideal $(P, Q)$ can be
explicitly computed in terms of $d$ and $r$, and this bound is in $\widetilde{O}(d^4 + d^3 r)$.

Proof. According to Definition 6, a prime $\mu$ is unlucky if it is smaller than $2d^4$, if
$\phi_\mu(L_P(S) L_Q(S) L_R(S)) = 0$, or if $\#V(I) \neq \#V(I_\mu)$. In the following, we consider $\mu > 2d^4$. We first determine
some conditions on $\mu$ that ensure that $\#V(I) = \#V(I_\mu)$, and we then bound the number of $\mu$
that do not satisfy these conditions. As we will see, under these conditions, $L_P(S)$, $L_Q(S)$, and
$L_R(S)$ do not vanish modulo $\mu$ and thus this constraint is redundant.

The first part of the proof is similar in spirit to that of Proposition 11, in which we first fixed a
prime $\mu$ and then specialized the polynomials at $S = a$ such that the form $X + aY$ was separating
for $I_\mu$. Here, we first choose $a$ such that $X + aY$ is separating for $I$. With some conditions on
$\mu$, Lemmas 8 and 10 imply Equation (3) and we determine some more conditions on $\mu$ such that
the middle inequality of (3) is an equality. We thus get $\#V(I_\mu) \ge \#V(I)$, which is the converse
of that of Proposition 11, and thus $\#V(I_\mu) = \#V(I)$. In the second part of the proof, we bound
the number of $\mu$ that violate the conditions we considered.

Prime numbers such that $\#V(I) \neq \#V(I_\mu)$. Let $a$ be such that the form $X + aY$ separates
$V(I)$ and $L_P(a) L_Q(a) L_R(a) \neq 0$.⁶ Similarly as in the proof of Proposition 11, we can choose
$a \le 2d^4$.

6 It can be shown that $L_P(a) L_Q(a) \neq 0$ implies $L_R(a) \neq 0$ (see for instance [BLPR13, Lemma 11]) but this
property does not simplify the proof.
We consider any prime $\mu$ such that $\phi_\mu(L_P(a))\ \phi_\mu(L_Q(a))\ \phi_\mu(L_R(a)) \neq 0$, so that we can
apply Lemmas 8 and 10. Since $X + aY$ separates $V(I)$, these lemmas yield that

$$\#V(I_\mu) \ \ge\ d_T(\overline{R_\mu(T, a)}) \ \le\ d_T(\overline{R(T, a)}) \ =\ \#V(I). \tag{4}$$

Now, $d_T(\overline{R(T, a)}) = d_T(R(T, a)) - d_T(\gcd(R(T, a), R'(T, a)))$, and similarly for $R_\mu(T, a)$. The
leading coefficient of $R(T, S)$ with respect to $T$ is $L_R(S)$, and since it does not vanish at $S = a$,
$L_R(a)$ is the leading coefficient of $R(T, a)$. In addition, we have shown in the proof of Lemma 10
that $R_\mu(T, a) = \phi_\mu(R(T, a))$, hence the hypothesis $\phi_\mu(L_R(a)) \neq 0$ implies that $R_\mu(T, a)$ and
$R(T, a)$ have the same degree. It follows that, if $\mu$ is such that the degree of $\gcd(R(T, a), R'(T, a))$
does not change when $R(T, a)$ and $R'(T, a)$ are reduced modulo $\mu$, we have

$$\#V(I_\mu) \ \ge\ d_T(\overline{R_\mu(T, a)}) \ =\ d_T(\overline{R(T, a)}) \ =\ \#V(I).$$

Since 4> fM (Lp(a)) (^^(Lq^o)) <j) ^(L r(o)) ^ 0, we can apply Proposition Qj] which yields that 
< and thus #V(I„) = #V(J). 

Therefore, the primes /j, such that #^(1^) ^ #V(I) are among those such that Lp(a), Lq{o) 
or Lp(a) vanishes modulo /i or such that the degree of gcd(R(T , a) , R' (T , a)) changes when 
R(T, a) and R'(T, a) are reduced modulo /x. Note that if Lp(a), Lg(a), and Lp(a) do not vanish 
modulo /i, then Lp{S), Lq{S), and Lp(S) do not identically vanish modulo /x. 

Bounding the number of prime divisors of $L_P(a)$, $L_Q(a)$ or $L_R(a)$. The number of prime divisors
of an integer $z$ is bounded by its bitsize. Indeed, its bitsize is $\lfloor \log z \rfloor + 1$ and its factorization into
$w$ (possibly identical) prime numbers directly yields that $2^w \leq \prod_{i=1}^{w} z_i = z = 2^{\log z} \leq 2^{\lfloor \log z \rfloor + 1}$.
We can thus bound the number of prime divisors by bounding the bitsize of $L_P(a)$, $L_Q(a)$ and
$L_R(a)$. We start by bounding the bitsize of $L_P(S)$, $L_Q(S)$ and $L_R(S)$.

Each coefficient of $P(T - SY, Y)$ has bitsize at most $r' = r + d \log d + \log(d + 1) + 1$. Indeed,
$(T - SY)^i$ is a sum of $i + 1$ monomials whose coefficients are binomials bounded by $d^d$. The claim
follows since each coefficient of $P(T - SY, Y)$ is the sum of at most $d + 1$ such binomials, each
multiplied by a coefficient of $P(X, Y)$ which has bitsize at most $r$. We get the same bound for the
coefficients of $Q(T - SY, Y)$ and thus for $L_P(S)$ and $L_Q(S)$ as well. Concerning $L_R(S)$, we have
that $R(T, S)$ is the resultant of $P(T - SY, Y)$ and $Q(T - SY, Y)$ thus, by Lemma 1, its coefficients
are of bitsize $O(dr')$. In fact, an upper bound can be explicitly computed using, for instance, the
bound of [BPR06, Theorem 8.46] which implies that the resultant of two trivariate polynomials
of total degree $d'$ and bitsize $r'$ has bitsize at most $2d'(r' + \lfloor \log 2d' \rfloor + 1) + 2(\lfloor \log(2d'^2 + 1) \rfloor + 1)$,
which is in $O(d^2 + dr)$ in our case. Therefore, $L_P(S)$, $L_Q(S)$ and $L_R(S)$ have degree at most
$2d^2$ and their bitsizes can be explicitly bounded by a function of $d$ and $r$ in $O(d^2 + dr)$.

Finally, since $a \leq 2d^4$, its bitsize is at most $\sigma = 4 \log d + 2$. It is straightforward that the result
of an evaluation of a univariate polynomial of degree at most $d'$ and bitsize $r'$ at an integer value
of bitsize $\sigma$ has bitsize at most $d'\sigma + r' + \log(d' + 1) + 1$. Here $d' \leq 2d^2$ and $r'$ is in $O(d^2 + dr)$.
We thus proved that we can compute an explicit bound, in $O(d^2 + dr)$, on the number of prime
divisors of $L_P(a)$, $L_Q(a)$, or $L_R(a)$.

Bounding the number of primes $\mu$ such that the degree of $\gcd(R(T,a), R'(T,a))$ changes when
$R(T,a)$ and $R'(T,a)$ are reduced modulo $\mu$. By [Yap00, Lemma 4.12], given two univariate
polynomials in $\mathbb{Z}[X]$ of degree at most $d'$ and bitsize at most $r'$, the degree of their gcd changes
when the polynomials are considered modulo $\mu$ on a set of $\mu$ whose product is bounded [footnote 7] by
$(2^{r'}\sqrt{d' + 1})^{2d'+2}$. As noted above, the number of such primes $\mu$ is bounded by the bitsize of
this bound, and thus is bounded by $(d' + 1)(2r' + \log(d' + 1)) + 1$. Here $d' \leq 2d^2$ and $r'$ is
in $O(d^2 + dr)$ since our explicit bound on the bitsize of $L_R(a)$ holds as well for the bitsize of
$R(T,a)$, and, since $R(T,a)$ is of degree at most $2d^2$, the bitsize of $R'(T,a)$ is bounded by that
of $R(T,a)$ plus $1 + \log 2d^2$. We thus obtain an explicit bound in $O(d^4 + d^3 r)$ on the number of
primes $\mu$ such that the degree of $\gcd(R(T,a), R'(T,a))$ changes when $R(T,a)$ and $R'(T,a)$ are
reduced modulo $\mu$.

The result follows by summing this bound with the bounds we obtained on the number of
prime divisors of $L_P(a)$, $L_Q(a)$, or $L_R(a)$, and a bound (e.g. $2d^4$) on the number of primes
smaller than $2d^4$. □

[Footnote 7] [Yap00, Lemma 4.12] states the bound as $N^{2d'+2}$ where $N$ is the maximum Euclidean norm of the vectors of
coefficients of the polynomials.

Algorithm 1 Triangular decomposition [GVEK96, LMMRS11]

Input: $P, Q$ in $\mathbb{F}[X, Y]$ coprime such that $\mathrm{Lc}_Y(P)$ and $\mathrm{Lc}_Y(Q)$ are coprime [footnote 8], $d_Y(Q) \leq d_Y(P)$,
       and $A \in \mathbb{F}[X]$ squarefree.
Output: Triangular decomposition $\{(A_i(X), B_i(X,Y))\}_{i \in \mathcal{I}}$ such that $V(\langle P, Q, A \rangle)$ is the
       disjoint union of the sets $V(\langle A_i(X), B_i(X,Y) \rangle)_{i \in \mathcal{I}}$
 1: Compute the subresultant sequence of $P$ and $Q$ with respect to $Y$: $B_i = \mathrm{Sres}_{Y,i}(P, Q)$
 2: $G_0 = \gcd(\mathrm{Res}_Y(P,Q), A)$ and $\mathcal{T} = \emptyset$
 3: for $i = 1$ to $d_Y(Q)$ do
 4:     $G_i = \gcd(G_{i-1}, \mathrm{sres}_{Y,i}(P, Q))$
 5:     $A_i = G_{i-1}/G_i$
 6:     if $d_X(A_i) > 0$, add $(A_i, B_i)$ to $\mathcal{T}$
 7: end for
 8: return $\mathcal{T} = \{(A_i(X), B_i(X,Y))\}_{i \in \mathcal{I}}$

4.3 Counting the number of solutions over $\mathbb{Z}_\mu$

For counting the number of (distinct) solutions of $\langle P_\mu, Q_\mu \rangle$, we use a classical algorithm for
computing a triangular decomposition of an ideal defined by two bivariate polynomials. We first
recall this algorithm, slightly adapted to our needs, and analyze its arithmetic complexity.

4.3.1 Triangular decomposition 

Let $P$ and $Q$ be two polynomials in $\mathbb{F}[X, Y]$. A decomposition of the solutions of the
system $\{P, Q\}$ using the subresultant sequence appears in the theory of triangular sets [Laz91,
LMMRS11] and for the computation of topology of curves [GVEK96].

The idea is to use Lemma 2 which states that, after specialization at $X = \alpha$, the first (with
respect to increasing $i$) nonzero subresultant $\mathrm{Sres}_{Y,i}(P, Q)(\alpha, Y)$ is of degree $i$ and is equal to the
gcd of $P(\alpha, Y)$ and $Q(\alpha, Y)$. This induces a decomposition of the system $\{P, Q\}$ into triangular
subsystems $(\{A_i(X), \mathrm{Sres}_{Y,i}(P, Q)(X, Y)\})$ where a solution $\alpha$ of $A_i(X) = 0$ is such that the
system $\{P(\alpha, Y), Q(\alpha, Y)\}$ admits exactly $i$ roots (counted with multiplicity), which are exactly
those of $\mathrm{Sres}_{Y,i}(P,Q)(\alpha,Y)$. Furthermore, these triangular subsystems are regular chains, i.e.,
the leading coefficient of the bivariate polynomial (seen in $Y$) is coprime with the univariate
polynomial. For clarity and self-containedness, we recall this decomposition in Algorithm 1
where, in addition, we restrict the solutions of the system $\{P, Q\}$ to those where some univariate
polynomial $A(X)$ vanishes ($A$ could be identically zero).

The following lemma states the correctness of Algorithm 1 which follows from Lemma 2 and
from the fact that the solutions of $P$ and $Q$ project on the roots of their resultant.

Lemma 13 ([GVEK96, LMMRS11]). Algorithm 1 computes a triangular decomposition
$\{(A_i(X), B_i(X,Y))\}_{i \in \mathcal{I}}$ such that

(i) the set $V(\langle P, Q, A \rangle)$ is the disjoint union of the sets $V(\langle A_i(X), B_i(X,Y) \rangle)_{i \in \mathcal{I}}$,

(ii) $\prod_{i \in \mathcal{I}} A_i$ is squarefree,

(iii) $\forall \alpha \in V(A_i)$, $B_i(\alpha, Y)$ is of degree $i$ and is equal to $\gcd(P(\alpha, Y), Q(\alpha, Y))$, and

(iv) $A_i(X)$ and $\mathrm{Lc}_Y(B_i(X,Y))$ are coprime.

In the following lemma, we analyze the complexity of Algorithm 1 for $P$ and $Q$ of degree
at most $d_X$ in $X$ and $d_Y$ in $Y$ and $A$ of degree at most $d^2$, where $d$ denotes a bound on the
total degree of $P$ and $Q$. We will use Algorithm 1 with polynomials with coefficients in $\mathbb{F} = \mathbb{Z}_\mu$
and we thus only consider its arithmetic complexity in $\mathbb{F}$. Note that the bit complexity of this
algorithm, over $\mathbb{Z}$, is analyzed in [DET09, Theorem 19] and its arithmetic complexity is thus
implicitly analyzed as well; for clarity, we provide here a short proof.

Lemma 14. Algorithm 1 performs $O(d_X d_Y^3) = O(d^4)$ arithmetic operations in $\mathbb{F}$.

Proof. From Lemma 3 (note that this lemma is stated for the coefficient ring $\mathbb{Z}$, but the arithmetic
complexity is the same for any field $\mathbb{F}$), the subresultant sequence of $P$ and $Q$ can be computed in
$O(d_X d_Y^3)$ arithmetic operations, and the resultant as well as the principal subresultant coefficients
have degrees in $O(d_X d_Y)$. The algorithm performs at most $d_Y$ gcd computations between these
univariate polynomials. The arithmetic complexity of one such gcd computation is soft linear in
their degrees, that is $O(d_X d_Y)$ (Lemma 2). Hence the arithmetic complexity of computing the
systems $\{S_i\}_{i=1,\ldots,d}$ is $O(d_X d_Y^2)$. The total complexity of the triangular decomposition is hence
dominated by the cost of the subresultant computation, that is $O(d_X d_Y^3) = O(d^4)$. □

4.3.2 Counting the number of solutions over $\mathbb{Z}_\mu$

Algorithm 2 computes the number of distinct solutions of an ideal $I_\mu = \langle P_\mu, Q_\mu \rangle$ of $\mathbb{Z}_\mu[X, Y]$.
Roughly speaking, this algorithm first performs one triangular decomposition with the input
polynomials $P_\mu$ and $Q_\mu$, and then performs a sequence of triangular decompositions with
polynomials resulting from this decomposition. The result is close to a radical triangular decomposition
and the number of solutions of $I_\mu$ can be read, with a simple formula, from the degrees of the
polynomials in the decomposition. Note that Algorithm 2, as Algorithm 1, is valid for any base
field $\mathbb{F}$ but, since we will only use it over $\mathbb{Z}_\mu$, we state it and analyze its complexity in this case.

Lemma 15. Algorithm 2 computes the number of distinct solutions of $\langle P_\mu, Q_\mu \rangle$.

Proof. The shear of Line 1 allows us to fulfill the requirement of the triangular decomposition
algorithm, called in Line 2, that the input polynomials have coprime leading coefficients. Once the
generically sheared polynomial $P_\mu(X - SY, Y)$ is computed (in $\mathbb{Z}_\mu[S, X, Y]$), a specific shear value
$b \in \mathbb{Z}_\mu$ can be selected by evaluating the univariate polynomial $L_{P_\mu}(S) = \mathrm{Lc}_Y(P_\mu(X - SY, Y))$
at $d + 1$ elements of $\mathbb{Z}_\mu$. The polynomial does not vanish at one of these values since it is of
degree at most $d$ and $d < \mu$. Note that such a shear clearly does not change the number of
solutions.

Algorithm 2 Number of distinct solutions of $\langle P_\mu, Q_\mu \rangle$

Input: $P_\mu, Q_\mu$ in $\mathbb{Z}_\mu[X, Y]$ coprime, $\mu$ larger than their total degree
Output: Number of distinct solutions of $\langle P_\mu, Q_\mu \rangle$
 1: Shear $P_\mu$ and $Q_\mu$ by replacing $X$ by $X - bY$ with $b \in \mathbb{Z}_\mu$ so that $\mathrm{Lc}_Y(P_\mu(X - bY, Y)) \in \mathbb{Z}_\mu$
 2: Triangular decomposition: $\{(A_i(X), B_i(X,Y))\}_{i \in \mathcal{I}}$ = Algorithm 1 $(P_\mu, Q_\mu, 0)$
 3: for all $i \in \mathcal{I}$ do
 4:     $C_i(X) = \mathrm{Lc}_Y(B_i(X,Y))^{-1} \bmod A_i(X)$
 5:     $\widetilde{B}_i(X,Y) = C_i(X)\,B_i(X,Y) \bmod A_i(X)$
 6:     Triangular decomp.: $\{(A_{ij}(X), B_{ij}(X,Y))\}_{j \in \mathcal{J}_i}$ = Algorithm 1 $(\widetilde{B}_i(X,Y), \frac{\partial \widetilde{B}_i}{\partial Y}(X,Y), A_i(X))$
 7: end for
 8: return $\sum_{i \in \mathcal{I}} \big( i\, d_X(A_i) - \sum_{j \in \mathcal{J}_i} j\, d_X(A_{ij}) \big)$

[Footnote 8] The hypothesis that $\mathrm{Lc}_Y(P)$ and $\mathrm{Lc}_Y(Q)$ are coprime can be relaxed by applying the algorithm recursively
(see [LMMRS11] for details). We require here this hypothesis for complexity issues.

According to Lemma 13, the triangular decomposition $\{(A_i(X), B_i(X,Y))\}_{i \in \mathcal{I}}$ computed
in Line 2 is such that the solutions of $\langle P_\mu, Q_\mu \rangle$ is the disjoint union of the solutions of the
$\langle A_i(X), B_i(X,Y) \rangle$, for $i \in \mathcal{I}$. It follows that the number of (distinct) solutions of $I_\mu = \langle P_\mu, Q_\mu \rangle$
is

$$\#V(I_\mu) = \sum_{i \in \mathcal{I}} \; \sum_{\alpha \in V(A_i)} d_Y\big(\overline{B_i(\alpha, Y)}\big).$$

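Since $B_i(\alpha, Y)$ is a univariate polynomial in $Y$,
$d_Y(\overline{B_i(\alpha,Y)}) = d_Y(B_i(\alpha,Y)) - d_Y(\gcd(B_i(\alpha,Y), B_i'(\alpha,Y)))$, where $B_i'(\alpha,Y)$ is the derivative
of $B_i(\alpha,Y)$, which is also equal to $\frac{\partial B_i}{\partial Y}(\alpha,Y)$. By Lemma 13, $d_Y(B_i(\alpha, Y)) = i$, and since the
degree of the gcd is zero when $B_i(\alpha, Y)$ is squarefree, we have

$$\#V(I_\mu) = \sum_{i \in \mathcal{I}} \Bigg( \sum_{\alpha \in V(A_i)} i \;-\; \sum_{\substack{\alpha \in V(A_i) \\ B_i(\alpha,Y) \text{ not sqfr.}}} d_Y\Big(\gcd\big(B_i(\alpha,Y), \tfrac{\partial B_i}{\partial Y}(\alpha,Y)\big)\Big) \Bigg). \qquad (5)$$

The polynomials $A_i(X)$ are squarefree by Lemma 13, so $\sum_{\alpha \in V(A_i)} i$ is equal to $i\, d_X(A_i)$.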

We now consider the sum of the degrees of the gcds. The rough idea is to apply Algorithm 1
to $B_i(X,Y)$ and $\frac{\partial B_i}{\partial Y}(X,Y)$, for every $i \in \mathcal{I}$, which computes a triangular decomposition
$\{(A_{ij}(X), B_{ij}(X,Y))\}_{j \in \mathcal{J}_i}$ such that, for $\alpha \in V(A_{ij})$, $d_Y(\gcd(B_i(\alpha, Y), \frac{\partial B_i}{\partial Y}(\alpha,Y))) = j$ (by
Lemma 13), which simplifies Equation (5) into $\#V(I_\mu) = \sum_{i \in \mathcal{I}} \big( i\, d_X(A_i) - \sum_{j \in \mathcal{J}_i} \sum_{\alpha \in V(A_{ij})} j \big)$.
However, we cannot directly apply Algorithm 1 to $B_i(X, Y)$ and $\frac{\partial B_i}{\partial Y}(X, Y)$ because their leading
coefficients in $Y$ have no reason to be coprime.

By Lemma 13, $A_i(X)$ and $\mathrm{Lc}_Y(B_i(X, Y))$ are coprime, thus $\mathrm{Lc}_Y(B_i(X, Y))$ is invertible
modulo $A_i(X)$ (by Bézout's identity); let $C_i(X)$ be this inverse and define $\widetilde{B}_i(X, Y) = C_i(X)B_i(X, Y)
\bmod A_i(X)$ (such that every coefficient of $C_i(X)B_i(X,Y)$ with respect to $Y$ is reduced modulo
$A_i(X)$). The leading coefficient in $Y$ of $\widetilde{B}_i(X,Y)$ is equal to 1, so we can apply Algorithm 1
to $\widetilde{B}_i(X,Y)$ and $\frac{\partial \widetilde{B}_i}{\partial Y}(X,Y)$. Furthermore, if $A_i(\alpha) = 0$, then $\widetilde{B}_i(\alpha,Y) = C_i(\alpha)B_i(\alpha,Y)$ where
$C_i(\alpha) \neq 0$ since $C_i(\alpha)\,\mathrm{Lc}_Y(B_i(\alpha,Y)) = 1$. Equation (5) can thus be rewritten by replacing $B_i$
by $\widetilde{B}_i$.

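By Lemma 13, for every $i \in \mathcal{I}$, Algorithm 1 computes a triangular decomposition $\{(A_{ij}(X),
B_{ij}(X, Y))\}_{j \in \mathcal{J}_i}$ such that $V(\langle \widetilde{B}_i, \frac{\partial \widetilde{B}_i}{\partial Y}, A_i \rangle)$ is the disjoint union of the sets $V(\langle A_{ij}(X), B_{ij}(X, Y) \rangle)$,
$j \in \mathcal{J}_i$, and for all $\alpha \in V(A_{ij})$, $d_Y(\gcd(\widetilde{B}_i(\alpha, Y), \frac{\partial \widetilde{B}_i}{\partial Y}(\alpha, Y))) = j$. Since the set of $\alpha \in V(A_i)$ such
that $\widetilde{B}_i(\alpha, Y)$ is not squarefree is the projection of the set of solutions $(\alpha, \beta) \in V(\langle \widetilde{B}_i, \frac{\partial \widetilde{B}_i}{\partial Y}, A_i \rangle)$
we get

$$\#V(I_\mu) = \sum_{i \in \mathcal{I}} \Big( i\, d_X(A_i) - \sum_{j \in \mathcal{J}_i} \; \sum_{\alpha \in V(A_{ij})} j \Big).$$

$A_{ij}(X)$ is squarefree (Lemma 13) so $\sum_{\alpha \in V(A_{ij})} j = j\, d_X(A_{ij})$, which concludes the proof. □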



The next lemma gives the arithmetic complexity of the above algorithm. 

Lemma 16. Given $P_\mu, Q_\mu$ in $\mathbb{Z}_\mu[X, Y]$ of total degree at most $d$, Algorithm 2 performs $O(d^4)$
operations in $\mathbb{Z}_\mu$.

Proof. According to Lemma 5, the sheared polynomials $P(T - SY, Y)$ and $Q(T - SY, Y)$ can be
expanded in $O_B(d^4 + d^3 r)$ bit operations in $\mathbb{Z}$. Thus the sheared polynomials $P_\mu(X - SY, Y)$ and
$Q_\mu(X - SY, Y)$ can obviously be computed in $O(d^4)$ arithmetic operations in $\mathbb{Z}_\mu$ [footnote 9]. The leading
term $\mathrm{Lc}_Y(P_\mu(X - SY, Y)) \in \mathbb{Z}_\mu[S]$ is a polynomial of degree at most $d$ and a value $b \in \mathbb{Z}_\mu$ at which
it does not vanish can be found by at most $d + 1$ evaluations. Each evaluation can be done
with $O(d)$ arithmetic operations, thus the shear value $b$ can be computed in $O(d^2)$ operations. It
remains to evaluate the generically sheared polynomials at this value $S = b$. These polynomials
have $O(d^2)$ monomials in $X$ and $Y$, each with a coefficient in $\mathbb{Z}_\mu[S]$ of degree at most $d$; since the
evaluation of each coefficient is soft linear in $d$, this gives a total complexity in $O(d^4)$ for Line 1.

According to Lemma 14, the triangular decomposition in Line 2 can be done in $O(d^4)$
arithmetic operations. In Lines 4 and 5, $C_i(X)$ and $\widetilde{B}_i(X,Y)$ can be computed by first reducing
modulo $A_i(X)$ every coefficient of $B_i(X, Y)$ (with respect to $Y$). There are at most $i$ coefficients
(by definition of subresultants) and the arithmetic complexity of every reduction is soft linear in
the degree of the operands [vzGG99, Corollary 11.6], which is $O(d^2)$ by Lemma 3. The reduction
of $B_i(X, Y)$ modulo $A_i(X)$ can thus be done with $O(d^3)$ arithmetic operations in $\mathbb{Z}_\mu$. Now, in
Line 4, the arithmetic complexity of computing the inverse of one of these coefficients modulo
$A_i(X)$ is soft linear in its degree [vzGG99, Corollary 11.8], that is $O(d_i)$ where $d_i$ denotes the
degree of $A_i(X)$. Furthermore, computing the product modulo $A_i(X)$ of two polynomials which
are already reduced modulo $A_i(X)$ can be done in $O(d_i)$ arithmetic operations [vzGG99,
Corollary 11.8]. Thus, in Line 5, the computation of $\widetilde{B}_i(X, Y)$ can be done with $i$ such multiplications,
and thus with $O(i d_i)$ arithmetic operations. Finally, in Line 6, the triangular decomposition can
be done with $O(i^3 d_i)$ arithmetic operations by Lemma 14. The complexity of Lines 4 to 6 is thus
in $O(d^3 + i^3 d_i)$ which is in $O(d^3 + d^2 i d_i)$. The total complexity of the loop in Line 3 is thus
$O(d^4 + d^2 \sum_i i d_i)$ which is in $O(d^4)$ because the number of solutions of the triangular system
$(A_i(X), \widetilde{B}_i(X, Y))$ is at most the degree of $A_i$ times the degree of $\widetilde{B}_i$ in $Y$, that is $i d_i$, and the
total number of these solutions for $i \in \mathcal{I}$ is that of $(P, Q)$, by Lemma 13, which is at most
$d^2$ by Bézout's bound. This concludes the proof because the sum in Line 8 can obviously be
done in linear time in the size of the triangular decompositions that are computed during the
algorithm. □

4.4 Computing a lucky prime and the number of solutions over Z 

We now show how to compute the number of solutions of I = (P, Q) over Z and a lucky prime 
for that ideal. 

[Footnote 9] It can easily be proved that these polynomials can be computed in $O(d^3)$ arithmetic operations but the $O(d^4)$
bound is sufficient here.

Algorithm 3 Number of distinct solutions and lucky prime for $(P, Q)$

Input: $P, Q$ in $\mathbb{Z}[X, Y]$ coprime of total degree at most $d$ and bitsize at most $r$
Output: The number of solutions and a lucky prime $\mu$ for $(P, Q)$
 1: Compute $P(T - SY, Y)$, $Q(T - SY, Y)$, $R(T, S) = \mathrm{Res}_Y(P(T - SY, Y), Q(T - SY, Y))$
 2: Compute a set $B$ of primes larger than $2d^4$ and of cardinality $O(d^4 + d^3 r)$ that contains a
    lucky prime for $(P, Q)$ (see Proposition 12)
 3: for all $\mu$ in $B$ do
 4:     if $\phi_\mu(L_P(S))\,\phi_\mu(L_Q(S))\,\phi_\mu(L_R(S)) \not\equiv 0$ then
 5:         Compute $N_\mu$ = Algorithm 2 $(\phi_\mu(P), \phi_\mu(Q))$
 6:     end if
 7: end for
 8: return $(\mu, N_\mu)$ such that $N_\mu$ is maximum



Lemma 17. Algorithm 3 computes the number of distinct solutions and a lucky prime for $(P, Q)$
in $O_B(d^8 + d^7 r)$ bit operations. Moreover, this lucky prime is upper bounded by $O(d^4 + d^3 r)$.

Proof. We first prove the correctness of the algorithm. Note first that for all $\mu \in B$ satisfying
the constraint of Line 4, Lemma implies that $\phi_\mu(P)$ and $\phi_\mu(Q)$ are coprime. It follows that
Algorithm 2 computes the number of distinct solutions $N_\mu = \#V(I_\mu)$ of $I_\mu$. By Proposition 11
and Definition 6, $N_\mu \leq \#V(I)$ and the equality holds if $\mu$ is lucky for $I$. Since the set $B$ of
considered primes contains a lucky one by construction, the maximum of the computed value of
$N_\mu$ is equal to $\#V(I)$. Finally, the $\mu$ associated to any such maximum value of $N_\mu$ is necessarily
lucky by the constraint of Line 4 and since $\mu$ is larger than $2d^4$.

We now prove the complexity of the algorithm. The polynomials $P(T - SY, Y)$, $Q(T - SY, Y)$
and their resultant $R(T, S)$ can be computed in $O_B(d^7 + d^6 r)$ bit operations by Lemma 5.

Proposition 12 states that we can compute an explicit bound $\Xi(d, r)$ in $O(d^4 + d^3 r)$ on the
number of unlucky primes for $(P, Q)$. We want to compute in Line 2 a set $B$ of at least $\Xi(d, r)$
primes (plus one) that are larger than $2d^4$. For computing $B$, we can thus compute the first
$\Xi(d, r) + 2d^4 + 1$ prime numbers and reject those that are smaller than $2d^4$. The bit complexity of
computing the r first prime numbers is in $O(r)$ and their maximum is in $O(r)$ [vzGG99, Theorem
18.10]. We can thus compute the set of primes $B$ with $O_B(d^4 + d^3 r)$ bit operations and these
primes are in $O(d^4 + d^3 r)$.

In Line 4, we test for zero the reduction modulo $\mu$ of three polynomials in $\mathbb{Z}[S]$ which have
been computed in Line 1 and which are of degree $O(d^2)$ and bitsize $O(d^2 + dr)$ in the worst case
(by Lemma 5). For each of these polynomials, the test for zero can be done by first computing
(once for all) the gcd of its $O(d^2)$ integer coefficients of bitsize $O(d^2 + dr)$. Each gcd can be
computed with a bit complexity that is soft linear in the bitsize of the integers [Yap00, §2.A.6]
(and the bitsize clearly does not increase), hence all the gcds can be done with a bit complexity
of $O_B(d^2(d^2 + dr))$. Then the reduction of each of the three gcds modulo all the primes in $B$ can
be computed via a remainder tree in a bit complexity that is soft linear in the total bitsize of
the input [MB74, Theorem 1], which is dominated by the sum of the bitsizes of the $O(d^4 + d^3 r)$
primes in $B$ each of bitsize in $O(1)$. Hence, the tests in Line 4 can be done with a total bit
complexity in $O_B(d^4 + d^3 r)$.

In Line 5, we compute, for $O(d^4 + d^3 r)$ prime numbers $\mu$, $\phi_\mu(P)$ and $\phi_\mu(Q)$ and call
Algorithm 2 to compute the number of their common solutions. Using the same argument as above,
each coefficient of $P$ and $Q$ can be reduced modulo the $O(d^4 + d^3 r)$ primes with $O_B(d^4 + d^3 r)$
bit operations, thus the bit complexity of computing all the $\phi_\mu(P)$ and $\phi_\mu(Q)$ for $\mu$ in $B$ is in
$O_B(d^6 + d^5 r)$. By Lemma 16, the bit complexity of Algorithm 2 is in $O_B(d^4)$. Hence, the total
bit complexity of Line 5 is $O_B(d^8 + d^7 r)$, and so is the overall bit complexity of Algorithm 3. □

Algorithm 4 Separating form for $(P, Q)$

Input: $P, Q$ in $\mathbb{Z}[X, Y]$ of total degree at most $d$ and defining a zero-dimensional ideal $I$
Output: A linear form $X + aY$ that separates $V(I)$, with $a < 2d^4$ and $L_P(a)\,L_Q(a) \neq 0$
 1: Apply Algorithm 3 to compute the number of solutions $\#V(I)$ and a lucky prime $\mu$ for $I$
 2: Compute $P(T - SY, Y)$, $Q(T - SY, Y)$ and $R(T, S) = \mathrm{Res}_Y(P(T - SY, Y), Q(T - SY, Y))$
 3: Compute $R_\mu(T, S) = \phi_\mu(R(T, S))$
 4: Compute $\Upsilon_\mu(S) = \phi_\mu(L_P(S))\,\phi_\mu(L_Q(S))\,\phi_\mu(L_R(S))$
 5: $a := 0$
 6: repeat
 7:     Compute the degree $N_a$ of the squarefree part of $R_\mu(T, a)$
 8:     $a := a + 1$
 9: until $\Upsilon_\mu(a) \neq 0$ [footnote 10] and $N_a = \#V(I)$
10: return The linear form $X + aY$

4.5 Computing a separating linear form 

Using Algorithm 3, we now present our algorithm for computing a linear form that separates the
solutions of $(P, Q)$.

Theorem 18. Algorithm 4 returns a separating linear form $X + aY$ for $(P, Q)$ with $a < 2d^4$.
The bit complexity of the algorithm is in $O_B(d^8 + d^7 r)$.

Proof. We first prove the correctness of the algorithm. We start by proving that the value $a$
returned by the algorithm is the smallest nonnegative integer such that $X + aY$ separates $V(I_\mu)$
with $\Upsilon_\mu(a) \neq 0$. Note first that, in Line 3, $\phi_\mu(R(T, S))$ is indeed equal to $R_\mu(T, S)$ which is
defined as $\mathrm{Res}_Y(P_\mu(T - SY, Y), Q_\mu(T - SY, Y))$ since the leading coefficients $L_P(S)$ and $L_Q(S)$
of $P(T - SY, Y)$ and $Q(T - SY, Y)$ do not identically vanish modulo $\mu$ (since $\mu$ is lucky), and thus
$L_{P_\mu}(S) = \phi_\mu(L_P(S))$, similarly for $Q$, and the resultant can be specialized modulo $\mu$ [BPR06,
Proposition 4.20]. Now, Line 9 ensures that the value $a$ returned by the algorithm satisfies
$\Upsilon_\mu(a) \neq 0$, and we restrict our attention to nonnegative such values of $a$. Note that $\Upsilon_\mu(a) \neq 0$
implies that $\phi_\mu(L_P(a))\,\phi_\mu(L_Q(a))\,\phi_\mu(L_R(a)) \neq 0$ because the specialization at $S = a$ and
the reduction modulo $\mu$ commute (in $\mathbb{Z}_\mu$). For the same reason, $L_{P_\mu}(S) = \phi_\mu(L_P(S))$ implies
$L_{P_\mu}(a) = \phi_\mu(L_P(a))$ and thus $L_{P_\mu}(a) \neq 0$ and, similarly, $L_{Q_\mu}(a) \neq 0$. On the other hand,
Line 9 implies that the value $a$ is the smallest that satisfies $d_T(\overline{R_\mu(T, a)}) = \#V(I)$, which is also
equal to $\#V(I_\mu)$ since $\mu$ is lucky. Lemma 8 thus yields that the returned value $a$ is the smallest
nonnegative integer such that $X + aY$ separates $V(I_\mu)$ and $\Upsilon_\mu(a) \neq 0$, which is our claim.

This property first implies that $a < 2d^4$ because the degree of $\Upsilon_\mu$ is bounded by $2(d^2 + d)$, the
number of non-separating linear forms is bounded by $\binom{d^2}{2}$ (the maximum number of directions
defined by any two of $d^2$ solutions), and their sum is less than $2d^4$ for $d \geq 2$. Note that, since $\mu$
is lucky, $2d^4 < \mu$ and thus $a < \mu$. The above property thus also implies, by Proposition 7, that
$X + aY$ separates $V(I)$. This concludes the proof of correctness of the algorithm since $a < 2d^4$
and $L_P(a)\,L_Q(a) \neq 0$ (since $\Upsilon_\mu(a) \neq 0$).

[Footnote 10] $\Upsilon_\mu(S)$ is a polynomial in $\mathbb{Z}_\mu[S]$ and we consider $\Upsilon_\mu(a)$ in $\mathbb{Z}_\mu$.
We now focus on the complexity of the algorithm. By Lemma 17, the bit complexity of
Line 1 is in $O_B(d^8 + d^7 r)$. The bit complexity of Lines 2 to 5 is in $O_B(d^7 + d^6 r)$. Indeed, by
Lemma 5, $R(T, S)$ has degree $O(d^2)$ in $T$ and in $S$, bitsize $O(d^2 + dr)$, and it can be computed
in $O_B(d^7 + d^6 r)$ time. Computing $R_\mu(T, S) = \phi_\mu(R(T, S))$ can thus be done by reducing $O(d^4)$
integers of bitsize $O(d^2 + dr)$ modulo $\mu$. Each reduction is soft linear in the maximum of the
bitsizes [vzGG99, Theorem 9.8] thus the reduction of $R(T, S)$ can be computed in $O_B(d^4(d^2 + dr))$
time (since $\mu$ has bitsize in $O(\log(d^4 + d^3 r))$ by Lemma 17) [footnote 11]. The computation of $\Upsilon_\mu$ can clearly
be done with the same complexity since each reduction is easier than the one in Line 3, and the
product of the polynomials (which does not actually need to be computed since we are only
interested in whether $\Upsilon_\mu(a)$ vanishes) can be done with a bit complexity that is soft linear in
the product of the maximum degrees and maximum bitsizes [vzGG99, Corollary 8.27].

We proved that the value $a$ returned by the algorithm is less than $2d^4$, thus the loop in Line
6 is performed at most $2d^4$ times. Each iteration consists of computing the squarefree part of
$R_\mu(T, a)$ which requires $O_B(d^4)$ bit operations. Indeed, computing $R_\mu(T, S)$ at $S = a$ amounts
to evaluating, in $\mathbb{Z}_\mu$, $O(d^2)$ polynomials in $S$, each of degree $O(d^2)$ (by Lemma 5). Note that
$a$ does not need to be reduced modulo $\mu$ because $a < 2d^4$ and $2d^4 < \mu$ since $\mu$ is lucky. Thus,
the bit complexity of evaluating in $\mathbb{Z}_\mu$ each of the $O(d^2)$ polynomials in $S$ is the number of
arithmetic operations in $\mathbb{Z}_\mu$, which is linear in the degree that is $O(d^2)$, times the (maximum)
bit complexity of the operations in $\mathbb{Z}_\mu$, which is in $O_B(\log(dr))$ since $\mu$ is in $O(d^4 + d^3 r)$ by
Lemma 17. Hence, computing $R_\mu(T, a)$ can be done in $O_B(d^4)$ bit operations. Once $R_\mu(T, a)$
is computed, the arithmetic complexity of computing its squarefree part in $\mathbb{Z}_\mu$ is soft linear in
its degree (Lemma 4), that is $O(d^2)$, which yields a bit complexity in $O_B(d^2)$ since, again, $\mu$ is
in $O(d^4 + d^3 r)$. This leads to a total bit complexity of $O_B(d^8)$ for the loop in Lines 6 to 9, and
thus to a total bit complexity for the algorithm in $O_B(d^8 + d^7 r)$. □
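
The search loop of Algorithm 4 (Lines 5 to 9) can be traced on a small system. The following Python code is an added example, not code from the paper: the system $P = XY$, $Q = X^2 + Y^2 - 1$, its hand-computed resultant $R(T,S) = (T^2 - 1)(T^2 - S^2)$, the prime $\mu = 37$ and all function names are assumptions of the example, and $\#V(I) = 4$ is taken as known instead of being computed by Algorithm 3. It tests $a = 0, 1, 2, \ldots$ in increasing order and returns the first $a$ with $\Upsilon_\mu(a) \neq 0$ and $N_a = \#V(I)$.

```python
# Added illustration, not the paper's code. Constructed system (an assumption):
#   P = X*Y,  Q = X^2 + Y^2 - 1,  total degree d = 2,
#   V(I) = {(0, 1), (0, -1), (1, 0), (-1, 0)}, so #V(I) = 4.
# Polynomials are coefficient lists, lowest degree first.

MU = 37              # prime > 2*d^4 = 32; the four solutions stay distinct mod 37
NUM_SOLUTIONS = 4    # #V(I), which Algorithm 3 would compute
L_P = [0, -1]        # Lc_Y(P(T - SY, Y)) = -S
L_Q = [1, 0, 1]      # Lc_Y(Q(T - SY, Y)) = S^2 + 1
# R(T, S) = Res_Y(P(T - SY, Y), Q(T - SY, Y)) = (T^2 - 1)(T^2 - S^2),
# computed by hand; entry k is the coefficient of T^k, a polynomial in S.
R = [[0, 0, 1], [0], [-1, 0, -1], [0], [1]]
L_R = R[-1]          # leading coefficient of R with respect to T


def trim(f):
    """Return f as a list without highest-degree zero coefficients."""
    f = list(f)
    while f and f[-1] == 0:
        f.pop()
    return f


def evaluate(f, x, p):
    """Horner evaluation of f at x in Z_p."""
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % p
    return acc


def poly_rem(f, g, p):
    """Remainder of f divided by g over Z_p (g nonzero and trimmed)."""
    f = trim(c % p for c in f)
    inv = pow(g[-1], -1, p)
    while len(f) >= len(g):
        q = f[-1] * inv % p
        shift = len(f) - len(g)
        for i, c in enumerate(g):
            f[shift + i] = (f[shift + i] - q * c) % p
        f = trim(f)
    return f


def poly_gcd(f, g, p):
    """A gcd of f and g over Z_p (Euclid's algorithm, not normalized)."""
    f, g = trim(c % p for c in f), trim(c % p for c in g)
    while g:
        f, g = g, poly_rem(f, g, p)
    return f


def squarefree_degree(f, p):
    """deg f - deg gcd(f, f') over Z_p; equals the degree of the squarefree
    part when every root multiplicity is below p (true when deg f < p)."""
    f = trim(c % p for c in f)
    df = trim(i * c % p for i, c in enumerate(f) if i > 0)
    return (len(f) - 1) - (len(poly_gcd(f, df, p)) - 1)


def separating_shear(R, leading_coeffs, num_solutions, p):
    """Smallest a >= 0 with Upsilon_mu(a) != 0 and N_a == #V(I).
    Also returns the trace [(a, Upsilon_mu(a) != 0, N_a), ...]."""
    trace = []
    for a in range(p):
        upsilon = 1
        for L in leading_coeffs:
            upsilon = upsilon * evaluate(L, a, p) % p
        r_a = [evaluate(c, a, p) for c in R]   # R_mu(T, a)
        n_a = squarefree_degree(r_a, p)
        trace.append((a, upsilon != 0, n_a))
        if upsilon != 0 and n_a == num_solutions:
            return a, trace
    raise ValueError("no separating form found below the prime")


if __name__ == "__main__":
    a, trace = separating_shear(R, [L_P, L_Q, L_R], NUM_SOLUTIONS, MU)
    for row in trace:
        print(row)
    print("separating form: X + %dY" % a)
```

With $a = 0$ the solutions $(0, 1)$ and $(0, -1)$ collide and with $a = 1$ the solutions $(0, 1)$ and $(1, 0)$ collide, which is why the search stops at $X + 2Y$.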

5 Conclusion 

We presented an algorithm of bit complexity $O_B(d^8 + d^7 r)$ for finding a separating linear form of
a bivariate system, improving by a factor $d^2$ the best known algorithm for this problem.
Finding a separating linear form is at the core of approaches based on rational parametrizations for
solving such systems and, as mentioned in the introduction, our algorithm directly improves
the bit complexity of the classical method for computing rational parametrizations via
subresultants [GVEK96]. Interestingly, computing a separating linear form remains the bit-complexity
bottleneck in this algorithm [DET09] and we show in [BLPR13] that this is also the bottleneck
for computing the rational parameterization of [Rou99]. This thus yields algorithms of bit
complexity $O_B(d^8 + d^7 r)$ for computing rational parameterizations of bivariate systems and we show
in [BLPR13] that isolating boxes can be computed with a smaller bit complexity. It should be
stressed that this complexity matches the recent one presented by Emeliyanenko and Sagraloff
[ES12] for "only" computing isolating boxes of the real solutions. Furthermore, rational
parameterizations yield efficient algorithms for various related problems, such as evaluating the sign of
a polynomial at the solutions of the system, or solving over-constrained systems [BLPR13].

One interesting open problem is to determine how, or whether, this contribution may impact
the complexity of algorithms, on plane algebraic curves, that require finding a shear that ensures
the curves to be in "generic" position (such as [KS11, GVN02]). In particular, we hope that this
result may improve the complexity of computing the topology of an algebraic plane curve.

[Footnote 11] Note that $R_\mu(T, S)$ can be computed more efficiently in $O_B(d^5 + d^3 r)$ bit operations as the resultant of
$P_\mu(T - SY, Y)$ and $Q_\mu(T - SY, Y)$ because computing these two polynomials and their reduction can be done in
$O_B(d^4 + d^3 r)$ bit operations (Lemma 5) and their resultant can be computed with $O(d^5)$ arithmetic operations
in $\mathbb{Z}_\mu$ (Lemma 3) and thus with $O_B(d^5)$ bit operations since $\mu$ has bitsize in $O(\log(d^4 + d^3 r))$.